I know. I was there, before Sanford Wallace invented the email spam and forced any sane SMTP server into password protections and whitelists.
“Low volume” vs. “A few hundred mails per month”
OK, what of the above?
You should put fixed IP addresses outside the DHCP allocation range. While a DHCP server might be smart enough to exclude a fixed address automatically, this is not a must. So better safe than sorry.
I just dropped Kbin from my bookmarks yesterday. I’m sad to see it gone, as it had some nice features.
I’ve been using IONOS for more than a decade now, and it works fine. I’m not into too much of web design, though, the personal web site is just a storage facility to move files around. I think they have quite some tools to develop professional web sites. Also allows for SSH access, which was helpful when I could not delete some files with FileZilla.
Mail is good, too (Domain + 10 email accounts + catchall).
This is not a bandaid, this is the solution. What you try is, at least for this scenario, the band aid.
I only look into kbin.social occasionally to see if they finally got their spam problem under control. They were nice maybe a year ago, but now it is a dumpster fire with half the main page being ads for drugs and junk services.
You don’t own anything that is not on your own system and/or without any DRM.
Well, I think it is necessary if you have mobile devices. Anything nailed down should be connected by wire, but if it is mobile, it should get the connection. Especially if the cell phone link is not that good inside the house.
I know that this would be the most secure way. But I seriously doubt that this level is necessary in a normal home network.
That’s what MAC whitelists are for. Your DHCP server should be able to handle this.
Identify your friendly devices and give them one setting with everything (full subnet and correct default GW). Identify your IoT devices, and give them another (full, or specially limited subnet mask, and fake default GW, maybe a different nameserver, too). Anything else is guest and gets a very limited subnet mask and a working default GW.
I’m pretty sure I don’t do this ;-) I know how routing works.
Then why don’t you ask the people who do this?
But you don’t need several LANs for this. This can easily be done with proper routing. A can access internet and internal network addresses. B can only access internet, and C can only reach internal addresses.
Why would you want to do this, anyway? Or, as I as a developer regularly have to ask our sales people: what do you actually want to achieve that led you to this question?
Keep in mind that AD, Office, and Exchange is the holy trinity of getting hacked in the last years.
There are companies that sell parts from used servers, e.g. SAS controllers for PCI.
I’ve got systems that can detect suspicious activities in the net, which result in a shutdown of the router. And not like “could you please shut down” but a hard power off type of shutdown.
My home server runs on an old desktop PC, bought at a discounter. But as we have bought several identical ones, we have both parts to upgrade them (RAM!) as well as organ donors for everything else.